https://github.com/luis261/symantec-cloud-edr-xsoar-integration
Cortex XSOAR Integration for the SES EDR API at https://api.sep.securitycloud.symantec.com
edr endpoint-security python3 security-automation symantec xsoar
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/luis261/symantec-cloud-edr-xsoar-integration
- Owner: luis261
- Created: 2023-10-30T09:51:33.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-07-22T05:33:33.000Z (11 months ago)
- Last Synced: 2024-07-30T21:06:46.929Z (10 months ago)
- Topics: edr, endpoint-security, python3, security-automation, symantec, xsoar
- Language: Python
- Homepage: https://apidocs.securitycloud.symantec.com/
- Size: 55.7 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
This is the right code for you if you're planning on issuing EDR commands from XSOAR by calling endpoints of https://api.sep.securitycloud.symantec.com
> [!NOTE]
> see the corresponding vendor documentation under https://apidocs.securitycloud.symantec.com/ > "Symantec™ Endpoint Security (SES)"; **so not the other Symantec EDR variant (which is hosted on prem and exposes API endpoints containing `/atpapi/`)** (the structure and routes of the two APIs are not identical, closely related, or easily interchangeable)
> the non-cloud equivalent would be: https://github.com/demisto/content/tree/master/Packs/SymantecEDR/Integrations/SymantecEDR

## Setup
When creating a new instance of this integration, you'll need to provide the following required parameters:
- a target URL where the API routes are hosted (`https://api.sep.securitycloud.symantec.com` by default)
- an OAuth client token
> [!TIP]
> I had to prepend the OAuth token with `Basic ` to make it work

## Troubleshooting
> [!WARNING]
> you're getting 403s when testing an instance and you're sure it's not the creds?
> - you might have to switch your config to a more specific subdomain depending on your location, e.g. `https://api.sep.eu.securitycloud.symantec.com` instead of `https://api.sep.securitycloud.symantec.com`
> - the reason for the 403s is that the Python `requests` library strips the Authorization header when a redirect sends the request to a different host (to prevent credential leakage), so by the time your requests arrive at the regional destination they're unauthenticated
> - if you're unsure which subdomain you need and can't figure it out by trial and error, it might make sense to either debug with curl (outside of XSOAR) or override `requests` functionality so that the prepared requests built during redirects (which contain the target host you're being redirected to) are emitted to a debug log
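The override described above, as an added example that is not part of this integration's code: a `requests.Session` subclass that hooks `rebuild_auth` (the method `requests` calls on every redirect hop) to log the redirect target and whether the Authorization header was dropped, plus an offline replay so the behaviour can be checked without network access. It assumes the `requests` library is installed; the URLs and token are constructed placeholders.

```python
import logging
from urllib.parse import urlparse

import requests
from requests import PreparedRequest, Response, Session

log = logging.getLogger("ses.redirects")


class RedirectTracingSession(Session):
    """Session that records every redirect hop and whether requests dropped the
    Authorization header for it, so the regional host can be read off the log."""

    def __init__(self) -> None:
        super().__init__()
        self.trust_env = False  # keep ~/.netrc out of the picture for a clean trace
        self.hops: list = []

    def rebuild_auth(self, prepared_request: PreparedRequest, response: Response) -> None:
        # Called by requests before re-sending a redirected request; the hop's
        # target host is already in prepared_request.url at this point.
        origin, target = response.request.url, prepared_request.url
        stripped = "Authorization" in prepared_request.headers and self.should_strip_auth(origin, target)
        self.hops.append({"from": origin, "to": target, "auth_stripped": bool(stripped)})
        log.warning("redirect %s -> %s (Authorization %s)", origin, target,
                    "dropped" if stripped else "kept")
        super().rebuild_auth(prepared_request, response)


def simulate_hop(origin: str, target: str, token: str) -> dict:
    """Replay one redirect hop offline with constructed request/response objects,
    returning the traced hop plus the base URL you would put in the instance config."""
    session = RedirectTracingSession()
    first = requests.Request("GET", origin, headers={"Authorization": token}).prepare()
    resp = Response()
    resp.status_code = 302
    resp.request = first
    follow = first.copy()
    follow.url = target  # what requests does when it follows the Location header
    session.rebuild_auth(follow, resp)
    hop = dict(session.hops[-1])
    hop["header_present_after"] = "Authorization" in follow.headers
    parsed = urlparse(target)
    hop["suggested_base_url"] = f"{parsed.scheme}://{parsed.hostname}"
    return hop
```

Pointing a real request at the global host through `RedirectTracingSession` logs the regional host the API redirects to, which is the value to configure as the target URL.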